packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
qsw33 703c655d68 merge patch
2023-08-24 11:33:18 +08:00

35 lines
2.0 KiB
Diff
Raw Blame History

From cac4a1f3b825bdc7f7eeaa4b219c95342ddd135c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Oct 2022 16:39:50 +0200
Subject: [PATCH] Allow samba-dcerpcd use NSCD services over a unix stream
socket
Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/26/2022 04:14:24.657:453) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0
type=PATH msg=audit(08/26/2022 04:14:24.657:453) : item=0 name=/var/run/nscd/socket inode=130894 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(08/26/2022 04:14:24.657:453) : saddr={ saddr_fam=local path=/var/run/nscd/socket }
type=SYSCALL msg=audit(08/26/2022 04:14:24.657:453) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7ffccfc81970 a2=0x6e a3=0x6 items=1 ppid=1 pid=93859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(08/26/2022 04:14:24.657:453) : avc: denied { write } for pid=93859 comm=samba-dcerpcd name=socket dev="tmpfs" ino=130894 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file permissive=0
Resolves: rhbz#2121709
---
policy/modules/contrib/samba.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 23af3a1304..227c22516d 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1232,6 +1232,10 @@ optional_policy(`
miscfiles_read_generic_certs(winbind_rpcd_t)
')
+optional_policy(`
+ nscd_socket_use(winbind_rpcd_t)
+')
+
optional_policy(`
sssd_read_public_files(winbind_rpcd_t)
sssd_stream_connect(winbind_rpcd_t)
Reference in New Issue View Git Blame Copy Permalink